Installation on Debian

From Linux-VServer

This guide is written against Debian Etch (4.0) and works on Lenny (5.0) as well. Both releases include the linux-image-vserver-686 kernel, so no manual patching is needed. Hence, installation on Debian Etch/Lenny is easy and straightforward.

Versions

Debian already contains VServer kernels, so no manual patching and compiling is needed.

Debian release    Kernel version    VServer version
Etch              2.6.18+6          2.0.2.2-rc9
Lenny             2.6.26+17         2.3.0.35

Issues with the current 2.6.26 Kernel

Linux-VServer uses file xattrs to prevent guest superusers from viewing files above their root, which prevents access to host files. The patch used in Debian Lenny uses a different position for the flag that controls this barrier against escaping a guest's chrooted environment. There is also a discrepancy in the immutable-unlink flag used for file unification. This creates considerable security issues for anyone who:

has created a guest with a Debian 2.6.26-*-vserver kernel and wishes to use it with another kernel.

has created a guest with a different kernel and wishes to use it on a Debian 2.6.26-*-vserver kernel based host.

has unified guests with a Debian 2.6.26-*-vserver kernel and wishes to use them with another kernel.

has unified guests with a different kernel and wishes to then use them on a Debian 2.6.26-*-vserver kernel based host.

In effect, the barrier normally in place for guest servers is not recognised by the kernel in the situations above and/or immutable links will not function correctly for unified guest setups.

Fixing the problem

As of writing, this issue has not been corrected within the Debian archive. To fix the barrier flags for a current kernel, see these instructions. To fix the problem in a unified environment, each file on each server must be unlinked and then the unification re-applied. These fixes must be applied whenever moving a vserver guest from or to the Debian Lenny vserver kernel.